FLIR Thermal Camera F/FC/PT/D 8.0.0.64 Information Disclosure via File Reading

Advisories

severity: high
date: January 7, 2026
Affecting: FLIR Thermal Camera F/FC/PT/D 8.0.0.64
CVE: CVE-2017-20212
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS: 8.7
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References: Zero Science Lab Vulnerability Advisory
Exploit Database Entry 42786
Packet Storm Security Exploit Archive
CXSecurity Vulnerability Listing
Archived FLIR Security Advisory
Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab
Description: FLIR Thermal Camera F/FC/PT/D firmware version 8.0.0.64 contains an information disclosure vulnerability that allows unauthenticated attackers to read arbitrary files through unverified input parameters. Attackers can exploit the /var/www/data/controllers/api/xml.php readFile() function to access local system files without authentication.